Modern Docker OCI Registries
Deployment of an OCI Registry
Harbor is an open-source OCI registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. It started as an internal project at VMware and has since become a widely adopted solution in the container ecosystem.
Harbor, a CNCF Graduated project, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud-native compute platforms like Kubernetes and Docker. In addition to being a registry for container images, Harbor also supports storing and managing other OCI artifacts, such as Helm charts.
The registry tool can be deployed using Docker Compose for simplicity and local testing, or using Helm charts for production-grade deployments on Kubernetes clusters. It also has an offline installer that simplifies the installation process on standalone servers. In this example, we will use the installer method. We are not going to focus on the high-availability deployment options, but Harbor does support them. Our focus is to get you started with a basic installation.
If you want to test Harbor, follow the next steps.
First of all, we will make our instance publicly accessible by assigning a public IP address to it. In this example, we will create a self-signed SSL certificate for simplicity. In a production environment, it's recommended to use certificates issued by a trusted Certificate Authority (CA) or use services like Let's Encrypt to obtain free SSL certificates. To generate a self-signed SSL certificate with Subject Alternative Name (SAN) support, you can use the following commands:
# Create directory for SSL certificates
mkdir -p /tmp/certs
# Get the IP address of your server
# We will use it as the Common Name (CN) in the certificate
hostname=$(curl -s http://ifconfig.me)
# Create a temporary configuration file for SAN
cat > /tmp/certs/openssl.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
ST = State
L = City
O = Organization
OU = OrgUnit
CN = $hostname
[v3_req]
subjectAltName = IP:$hostname
EOF
# Generate the certificate using the config file
openssl req -newkey rsa:4096 \
-nodes -sha256 -keyout /tmp/certs/domain.key \
-x509 -days 365 -out /tmp/certs/domain.crt \
-config /tmp/certs/openssl.cnf -extensions v3_req
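# Add the generated certificate to the system's trusted certificates
# (update-ca-certificates only reads the *.crt files in this directory)
cp /tmp/certs/domain.crt /usr/local/share/ca-certificates/harbor.crt
# The private key is copied alongside; keep it readable by its owner only
cp /tmp/certs/domain.key /usr/local/share/ca-certificates/harbor.key
chmod 600 /usr/local/share/ca-certificates/harbor.key
update-ca-certificates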
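Before Harbor is configured with this pair, it is worth confirming that the certificate really lists the server's IP in its SAN, that it belongs to the private key, and that the key is not readable by other users. The script below is an added example, not part of the original tutorial; the function names, the 203.0.113.10 documentation address and the temporary directory are assumptions made for the demo.

```shell
# Added example: verify a certificate/key pair before Harbor uses it.
# make_sample_cert DIR IP builds constructed test input with the recipe
# above (2048-bit key and 1-day validity only to keep the demo fast).
make_sample_cert() (
  mkdir -p "$1" && cd "$1" || exit 1
  umask 077  # private key readable by its owner only
  cat > openssl.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $2
[v3_req]
subjectAltName = IP:$2
EOF
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout domain.key \
    -x509 -days 1 -out domain.crt -config openssl.cnf 2>/dev/null
)

# check_cert CRT KEY IP returns 0 only if every check passes.
check_cert() (
  crt=$1 key=$2 ip=$3
  fail() { echo "FAIL: $1" >&2; exit 1; }
  # 1. The address must be in the SAN; modern TLS clients ignore the CN.
  openssl x509 -noout -checkip "$ip" -in "$crt" | grep -q 'does match' ||
    fail "$ip is not in subjectAltName"
  # 2. The certificate must carry the public half of this private key.
  a=$(openssl x509 -noout -pubkey -in "$crt" | openssl sha256)
  b=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl sha256)
  [ "$a" = "$b" ] || fail "certificate and key do not belong together"
  # 3. The certificate must still be valid one hour from now.
  openssl x509 -noout -checkend 3600 -in "$crt" >/dev/null ||
    fail "certificate is expired or about to expire"
  # 4. Group and others must have no access to the private key.
  case $(ls -l "$key") in
    -???------*) ;;
    *) fail "private key permissions are too open" ;;
  esac
  echo "OK: $crt is usable for $ip"
)

# Demo on a constructed pair for a documentation-range address.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" 203.0.113.10 &&
  check_cert "$demo_dir/domain.crt" "$demo_dir/domain.key" 203.0.113.10
rm -rf "$demo_dir"
```

On the tutorial's files the call would be `check_cert /tmp/certs/domain.crt /tmp/certs/domain.key "$hostname"`.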
Download Harbor installer:
cd /opt
wget https://github.com/goharbor/harbor/releases/download/v2.14.2/harbor-offline-installer-v2.14.2.tgz
# Extract the installer
tar xzvf harbor-offline-installer-v2.14.2.tgz
Configure Harbor. We are going to update the password of the admin user and set the hostname to the public IP address of our server. More configuration options are available in the YAML file. Feel free to explore them.
cd /opt/harbor
# Copy template configuration file
cp harbor.yml.tmpl harbor.yml
# Change hostname to your server's public IP
sed -i "s/hostname:.*/hostname: $hostname/" harbor.yml
# export admin password
password=
